On March 6, 2020, the Irish Supervisory Authority (“DPC”) issued guidance on how companies should process personal data when taking steps to contain the spread and mitigate the effects of COVID-19.
The DPC made clear that data protection law does not stand in the way of the provision of healthcare and the management of public health issues, but stressed that companies should be mindful of the following obligations when processing personal data in the context of the COVID-19 crisis:
Legal bases: According to the DPC, where organizations are acting on the guidance or directions of the competent public authorities, it is likely that the relevant data processing may be considered lawful on the basis that it is “necessary for reasons of public interest in the area of public health” under Article 9(2)(i) GDPR. However, suitable safeguards should be implemented. Such safeguards may include limitations on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
In addition, the DPC found that companies may rely on Article 9(2)(b) GDPR (“obligations in the field of employment”) to process the personal data of their employees, as employers have a legal obligation to protect their employees under the Irish Safety, Health and Welfare at Work Act 2005 (as amended). However, employers should rely on this legal basis only where it is deemed necessary and proportionate to do so, and should ensure that any data that is processed is treated in a confidential manner, as elaborated below.
Furthermore, the DPC took the view that in emergency situations, where no other legal basis can be identified, companies may be in a position to rely on Article 9(2)(c) GDPR to process personal data to protect the vital interests of an individual data subject or other persons.
In light of the above, according to the DPC, employers would be justified in “asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms”, as well as “requiring employees to inform them if they have a medical diagnosis of COVID-19 in order to allow necessary steps to be taken”. Nonetheless, it stated that “implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk”.
Transparency and privacy notices: The DPC stressed that organizations processing personal data must be transparent regarding the measures they implement to limit the spread of COVID-19. In particular, they must provide the concerned individuals with an appropriate, concise and easily understandable notice, which should specify, among other things, the purpose of collecting the personal data and how long the data will be retained.
Confidentiality and security: The DPC held that employers should make sure that they process the personal data of their employees in a way that ensures their security and confidentiality; the identity of affected individuals should not be disclosed to any third parties or to their colleagues without a specific justification. In other words, an employer may inform its staff that there has been a case, or suspected case, of COVID-19 in its organization and ask them to work from home, but the affected individual should not be named.
Data minimization: The DPC also warned companies that they should process only the minimum amount of data that is necessary to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.
Record keeping: According to the DPC, controllers should ensure that they document any decision-making process regarding measures implemented to manage COVID-19 that involve the processing of personal data.
The publication of the DPC’s guidance follows the publication of similar guidance by other European regulators, including those of France, Denmark, Iceland, Italy, Luxembourg, Norway, and Poland. However, the authorities of some major European jurisdictions, like Germany and Spain, have not yet published guidance on this matter, but might do so soon. The European Data Protection Board (“EDPB”) might also decide to intervene at some point, given that the views of EU supervisory authorities are not always aligned. Covington will continue to monitor developments in this area.